Story location: http://www.wired.com/news/infostructure/0,1377,57897,00.html

Mar. 04, 2003 PT

Why bother pounding at a website in search of obscure holes when you can
simply waltz in through the front door?

Hackers have recently done just that, turning to Google to help simplify the
task of homing in on their targets.

"Google, properly leveraged, has more intrusion potential than any hacking
tool," said hacker Adrian Lamo, who recently sounded the alarm.

The hacks are made possible by Web-enabled databases. Because
database-management tools use canned templates to present data on the Web,
typing specific phrases into Internet search tools often leads a user
directly to those templated pages. For example, typing the phrase "Select a
database to view" -- a common phrase in the FileMaker Pro database interface
-- into Google recently yielded about 200 links, almost all of which led to
FileMaker databases accessible online.

In a few cases, the databases contained sensitive information. One held the
addresses, phone numbers and detailed biographies of several hundred
teachers affiliated with Apple Computer. It also included each teacher's
user name and password. The database was not protected by any form of security.

Another search result pointed to a page served by the Drexel University
College of Medicine, which linked to a database of 5,500 records of the
medical college's neurosurgical patients. The patient records included
addresses, telephone numbers and detailed write-ups of diseases and
treatments. Once Google pointed the visitor to the page, the hacker merely
needed to type in an identical user name and password (in short, the name of
the database) in order to access the information.

Both databases were Web-enabled using the FileMaker Pro Web Companion, a
component of the $299 FileMaker Pro application, which is primarily targeted
at beginning users. According to FileMaker, the Web Companion promises to
"convert a single-user database into a multi-user networked solution in one
simple step.... Authorized users can search, edit, delete and update records
using most popular Web browsers."

Apple did not return calls requesting comment, but the teacher database was
apparently taken offline on Friday afternoon.

Drexel University immediately shut down its database upon being informed of
the vulnerability. Spokeswoman Linda Roth said university officials had not
been aware that it existed online, as it was not a sanctioned university
site. Drexel's dean also sent a memo to all employees reiterating the
university's policy against unapproved databases. The school is canvassing
its network to ensure no other databases have been posted online, Roth said.

A FileMaker spokesman said the company tries its best to make users aware of
security issues.

"We're critically aware of security and the need for it," said Kevin Mallon.
"We publish white papers and software updates on our site, and we send
updates to our registered users about the need for security."

But Mallon suggested that configuring access rights and selecting
appropriate passwords are ultimately the user's responsibility. "We
constantly emphasize with our users to be aware of the extent of the
exposure they want -- or more importantly, the exposure they do not want --
for all databases published on the Web."

Regarding the vulnerable Drexel database, Fred Langston, senior principal
consultant of Guardent, an information security services company, said the
incident might have occurred in part because such institutions typically
encourage openness with regard to knowledge sharing.

"We've done a lot of work at universities and teaching hospitals, and it's
the hardest environment to impose security, because they tend to have an
open information-sharing model," Langston said. "It makes it very difficult
to impose restrictions on data: In a teaching environment, that's how people
learn and extend their knowledge.

"Even if (the vulnerability) hadn't been exposed through Google, it would
have been exposed eventually."

A Google spokesman said the company was aware of the situation, and that it
provides tools that let webmasters remove inadvertently published
information from Google's index within about 24 hours. Tools that allow for
even speedier removal are in the works.

Removing links after the fact, though, isn't a very elegant solution, Lamo said.
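
The following is an added example, not part of the original article and not
FileMaker's or Google's code: a Python audit of the kind of network canvass
Drexel describes, run over HTTP responses an administrator has already
captured, without credentials, from hosts they own. The capture layout, the
example.edu hosts and the noindex checks (robots meta tag, X-Robots-Tag
header) are assumptions that do not come from the article.

```python
import re

# Phrase quoted in the article; an operator would extend this list.
TEMPLATE_PHRASES = ["Select a database to view"]
META_NOINDEX = re.compile(
    r'''<meta[^>]*name=["']robots["'][^>]*content=["'][^"']*noindex''', re.I)

def audit_response(resp):
    """Findings for one response captured WITHOUT credentials from your own host."""
    body = resp.get("body", "")
    if not any(p.lower() in body.lower() for p in TEMPLATE_PHRASES):
        return []
    findings = ["template-page"]
    if resp["status"] == 200:  # the template page was served to an anonymous client
        findings.append("no-authentication")
    headers = {k.lower(): v.lower() for k, v in resp.get("headers", {}).items()}
    if "noindex" not in headers.get("x-robots-tag", "") and not META_NOINDEX.search(body):
        findings.append("indexable")  # nothing tells crawlers to skip this page
    return findings

def guessable_credential(db_name, user, password):
    """True if the password is just the user name or the database name."""
    p = password.strip().lower()
    return p in {user.strip().lower(), db_name.strip().lower()}

def audit_inventory(captures):
    """Map URL -> findings, keeping only URLs with at least one finding."""
    report = {}
    for capture in captures:
        findings = audit_response(capture)
        if findings:
            report[capture["url"]] = findings
    return report

# Constructed sample captures (hypothetical hosts under example.edu).
SAMPLE = [
    {"url": "http://lab1.example.edu/", "status": 200, "headers": {},
     "body": "<html><h1>Select a database to view</h1><a href='x'>patients</a></html>"},
    {"url": "http://lab2.example.edu/", "status": 401,
     "headers": {"WWW-Authenticate": "Basic realm=db", "X-Robots-Tag": "noindex"},
     "body": "Authorization required"},
    {"url": "http://www.example.edu/", "status": 200, "headers": {},
     "body": "<html>Welcome to the department</html>"},
    {"url": "http://lab3.example.edu/", "status": 200, "headers": {},
     "body": "<meta name='robots' content='noindex,nofollow'>Select a database to view"},
]

if __name__ == "__main__":
    for url, findings in audit_inventory(SAMPLE).items():
        print(url, ", ".join(findings))
```

A "no-authentication" finding is the one that matters: keeping a page out of
a search index does not protect it, which is the point Lamo makes above.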